Welcome to the talk. My name is Hengwin. I'm going to talk about leakage resilience of the Shamir secret sharing scheme against physical-bit leakages. This is a joint work with Mashi, Anat, Tom, and Minghua. So let me start with the notion of leakage-resilient secret sharing. In a classical setting, a trusted dealer takes a secret S and samples random secret shares S1, S2, ..., Sn. The security guarantees that any unauthorized set of shares reveals no information about the secret. What if an adversary leaks partial information from every share? For example, it leaks one bit Bi from every share Si. Is the secret still hidden given the leakage? In other words, is the joint distribution of the leakages B1, B2, ..., Bn uncorrelated with the secret S? So a secret sharing scheme is leakage resilient if the secret remains hidden. So why are we interested in leakage-resilient secret sharing? In fact, leakage-resilient secret sharing is a very useful primitive. It has connections to many other fields. For example, it is related to the fascinating problem of repairing error-correcting codes. In this problem, the main objective is to learn minimum information from each share so that the secret can be fully reconstructed using the given information. Implicitly, if you are able to fully reconstruct the secret, then the secret sharing scheme is not leakage resilient. On the other hand, it might be the case that you can't fully reconstruct the secret, but the secret sharing scheme is still not leakage resilient if the leakages reveal some information about the secret S. Leakage-resilient secret sharing has been used as a building block for secure multiparty computation protocols that are resilient to local leakage attacks. It is also a building block for other primitives, for example, non-malleable secret sharing. Since its introduction, there have been two prominent research directions on leakage-resilient secret sharing.
The first direction is to construct new secret sharing schemes that are leakage resilient. So there have been a lot of fascinating works that focus on constructing new secret sharing schemes that are resilient to very sophisticated leakage attacks. However, these constructions usually incur significant overheads and can lose the algebraic structure. For example, they can lose the linearity structure. Sometimes the linearity is very important in applications. That's why there is another line of work that studies the leakage resilience of prominent secret sharing schemes like the additive secret sharing scheme or the Shamir secret sharing scheme. And this has a significant impact on real-world implementations. Our work belongs to this line of research. And next, let me introduce the context of our work before discussing the main results. We study leakage resilience of the Shamir secret sharing scheme. So how does the Shamir secret sharing scheme work? For a given secret S, it picks a random polynomial of degree at most K minus one, so that the evaluation at zero is equal to S. And you can see in the picture here. And the shares are evaluations of the polynomial at n distinct places, at one, at two, ..., at n. And you need at least K shares to reconstruct the secret. And any fewer than K shares give no information about the secret S. And in our work, we consider the Shamir secret sharing scheme with random evaluation places. What I mean is that X1, X2, ..., Xn are chosen uniformly at random. For the leakage model, we consider physical leakage. So all the shares are stored in their binary representations. For example, if the prime field is of size 31 and if the share is six, then we store 0, 0, 1, 1, 0. And if the share is 19, then we store 1, 0, 0, 1, 1. So the leakage function may learn the physical bits of the shares. For example, the least significant bit leakage of 19 is one. So with this in mind, let me discuss our main results. So the first results are feasibility results.
Let lambda be the security parameter. Let us assume that every secret share is an element from a prime field F where the size of the field F is roughly two to the power lambda. Let N be the number of parties and let K be the reconstruction threshold. And we assume that M bits are leaked from every share. So our results say that with overwhelming probability, the Shamir secret sharing scheme is locally leakage resilient as long as the total amount of leakage is less than the entropy introduced by the scheme. Here the total amount of leakage is M times N because there are N parties and each of them leaks M bits from the shares. And the total entropy is K times lambda since each share has lambda bits and we need exactly K shares to reconstruct the secret. And here we note that the probabilities are taken over the random choices of evaluation places. So it means that for most evaluation places, the corresponding Shamir secret sharing scheme is leakage resilient. However, for some evaluation places, it is not leakage resilient. So our results hold for any reconstruction threshold K that is greater than or equal to two. And here I want to emphasize that all the previous results require the reconstruction threshold to be large. So our result ended post leakage resilience of secure multi-party computations using GMW stack. So to complement the first result, we propose a new physical-bit leakage attack. So we show that when the evaluation places are chosen badly, the Shamir secret sharing scheme is not leakage resilient for a small reconstruction threshold. So we name our attack the parity attack. It leaks the least significant bit of each share and then it computes a bit B as the parity, or the XOR, of all the leaked bits. And this is a prediction for the secret. And we show that the advantage is lower bounded by the discrepancy of the Irwin-Hall distribution as P tends to infinity.
And we also show that the advantage is a constant if the reconstruction threshold is small. In a follow-up work, I don't know how to prove that. So the advantage is at least one by K factorial for any reconstruction threshold K. Also in an ongoing work, we show that in fact, it is exponentially small in K. And this is asymptotically optimal when the number of parties is equal to the reconstruction threshold because it matches the upper bound in the BDIR paper. I also want to mention that in the BDIR paper, they prove that one-bit general leakage can get an advantage of great to see power of minus K. Here it requires that the leakage function is general, not a physical bit. And next, let me position our feasibility result with the closely related work. So BDIR showed that Shamir secret sharing with any evaluation places is M-bit leakage resilient as long as the reconstruction threshold is large enough. And when M equal to one, the constant as a parameter data M equal to 0.85. And it is leakage resilient against general leakage. In another work by Margie et al., they showed that the Massey secret sharing scheme corresponding to a random linear code is leakage resilient as long as the reconstruction threshold is at least half the number of parties. And this is also against all leakage functions, but here the constructions are randomized constructions. It is different from the BDIR result. The BDIR result is for deterministic constructions. For our work, we also have randomized constructions, but it is for the Shamir secret sharing scheme. And we consider a more restricted leakage family. But we can show that it is leakage resilient for any K that is greater than or equal to two, and it requires the number of parties to be only polynomial in the security parameter. And for the rest of the talk, I will discuss the technical ideas of our paper. First, I will talk about the main technical idea for the feasibility results. Let me recall the feasibility results.
We proved that if the total amount of leakage is less than the entropy, then the Shamir secret sharing scheme is leakage resilient with very high probability. So to prove this, we do the following reductions. First, we suppose that we can prove that for any leakage function, for any two secrets, the advantage is small over randomly chosen evaluation places. And with this assumption, by a union bound on the leakage functions, we can show that most evaluation places yield a locally leakage-resilient Shamir secret sharing scheme. So the second step here is quite simple. So for the rest, we will be focusing on the first item here. We want to upper bound the distinguishing advantage. And here's an overview of how to bound this advantage. So we follow the standard Fourier analysis approach as in the BDIR paper. However, we encounter some bottlenecks. To overcome these bottlenecks, we utilize the randomness of the evaluation places so that we can reduce the problem to two problems. For problem A, we need a tight estimation of an exponential sum. And for problem B, we need an upper bound on the number of solutions to a system of equations. I will discuss these two problems in more detail. So for the first problem, suppose the leakage function is the least significant bit leakage. And suppose that the observed leakage is zero. Then the leakage set is the set of even numbers from zero to P minus one. Why? Because the least significant bit of these numbers is zero. So we are interested in upper bounding this sum. So intuitively, this is the ℓ1 Fourier norm of the indicator function of the set X. So our key observation is that the leakage sets can be represented as the disjoint union of a small number of rank-two proper generalized arithmetic progressions. And here I want to emphasize that this is true for any physical-bit leakage function, not only the least significant bit that we mentioned here.
So for example, for the set eight, nine, 12 and 13, this is a rank-two generalized arithmetic progression. And it is the winning sense for the second least significant bit fixed to zero when the size of the field is 29. So with this key observation, it suffices to bound the ℓ1 Fourier norm of the rank-two generalized arithmetic progressions. And we show that the ℓ1 Fourier norm of the rank-two GAP is bounded by this quantity. And for the second problem, we need a bound on the number of solutions of a system of equations. So we fix some vector alpha. And we consider the following system of equations: the product of this matrix with this vector alpha is equal to the zero vector. And we are interested in how many solutions X there are for these equations. So intuitively, we fix some vector alpha and we are interested in counting how many dual codes, that is, the dual of the code generated by this matrix, contain the vector alpha. So to bound the number of solutions, we employ a special variant of Bézout's theorem over a finite field. And we prove that the number of solutions is at most K factorial. One interesting thing to observe is that if there is a solution, then it is easy to see that there are at least K factorial solutions. Why? Because any permutation of the solution is itself a solution. And our result also upper bounds this by K factorial. So by solving these two problems we can prove our feasibility results. For the rest of the talk, I will be discussing the technical ideas for our attack. So recall that our main objective is to show that the Shamir secret sharing scheme is not leakage resilient when the evaluation places are chosen badly for small values of K, where K is the reconstruction threshold. So we consider a Shamir secret sharing scheme with the number of parties equal to the reconstruction threshold over a prime field F. And we suppose that the size of the field is equal to one modulo K.
So we let alpha, alpha squared, ..., alpha to the power K be all the K-th primitive roots of unity. In other words, they are the solutions of this equation. And we consider K distinct evaluation places: X1 equal to alpha, X2 equal to alpha squared, ..., and XK equal to alpha to the power K. We will show that these evaluation places are bad evaluation places. So first observe that the sum of the evaluations at X1, X2, ..., XK is equal to K times S for any polynomial P. And the leakage function leaks the least significant bits of the shares S1, S2, ..., SK. We show that the parity-of-parity attack predicts the least significant bit of K times S with constant advantage for some particular secret S, while we can observe that the advantage is zero or statistically close to zero for a random secret S. So by an averaging argument, we can show that the parity-of-parity attack distinguishes two secrets with a constant advantage. And here are some more details on the advantage. We prove that it is a constant for K equal to two or three. And we also show that it is constant for small values of K by experiments. And actually the advantage is lower bounded by the discrepancy of the Irwin-Hall distribution as P tends to infinity. And note that the discrepancy of the Irwin-Hall distribution here is one by K factorial, which is not equal to zero. And also from the experimental results we conjecture that the advantage is exponentially small in K. And as mentioned earlier, this is proven by a subsequent work. And lastly, I want to remark that our attack naturally extends to evaluation places that form a coset of alpha, alpha squared, ..., alpha to the power K. And when the number of parties is strictly greater than the reconstruction threshold, one can choose the remaining evaluation places arbitrarily. And we can still get the same advantage using the same analysis. Now this concludes my talk. Thank you for listening.
If you are interested in more details, you can take a look at the full version, which is available at this link. And thank you again.
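
Added example, not part of the talk or of the authors' code: an exhaustive Python check of the parity attack described above, showing why evaluation places that are K-th roots of unity must be avoided. It assumes K = 2 over the prime field of size 31 (so the roots of unity are 1 and 30); the function names and the comparison places (1, 2) are chosen here for illustration.

```python
from fractions import Fraction
from itertools import product


def roots_of_unity(p, k):
    """All x in F_p with x^k = 1 (there are k of them when p = 1 mod k)."""
    return [x for x in range(1, p) if pow(x, k, p) == 1]


def parity_one_prob(p, k, places, secret):
    """Exact Pr[XOR of the shares' least significant bits = 1] for one secret,
    over all p^(k-1) polynomials of degree < k with constant term `secret`."""
    hits = 0
    for coeffs in product(range(p), repeat=k - 1):
        parity = 0
        for x in places:
            share = secret
            for j, c in enumerate(coeffs, start=1):
                share = (share + c * pow(x, j, p)) % p
            parity ^= share & 1  # physical-bit leakage: LSB of the stored share
        hits += parity
    return Fraction(hits, p ** (k - 1))


def parity_advantage(p, k, places):
    """Best distinguishing advantage of the parity bit over all secret pairs."""
    probs = [parity_one_prob(p, k, places, s) for s in range(p)]
    return max(probs) - min(probs)


if __name__ == "__main__":
    p, k = 31, 2
    bad = roots_of_unity(p, k)
    print("roots of unity:", bad, "advantage:", parity_advantage(p, k, bad))
    print("places (1, 2): advantage:", parity_advantage(p, k, [1, 2]))
```

With the roots-of-unity places the two shares always sum to 2S modulo 31, so the parity bit separates the secrets 0 and 15 with advantage 30/31, while for the places (1, 2) the same bit gives at most 3/31.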